ONAPSIS-SAP Security in-Depth Vol 04




SAP Security In-Depth®
The Invoker Servlet: A Dangerous Detour into SAP Java solutions
by Mariano Nuñez Di Croce & Jordan Santarsieri
Vol. 4 / July 2011

Abstract

SAP Application Servers Java, supported by the J2EE Engine, serve as the base framework for running critical solutions such as the SAP Enterprise Portal, SAP Exchange Infrastructure (XI), SAP Process Integration (PI) and SAP Mobile Infrastructure (MI). Furthermore, customers can also deploy their own custom Java applications over these platforms.

In December 2010, SAP released an important white-paper describing how to protect against common attacks to these applications. Among the security concepts detailed, there was one that was particularly critical: the Invoker Servlet. This functionality introduces several threats to SAP platforms, such as the possibility of completely bypassing the authentication and authorization mechanisms.

This publication analyzes the Invoker Servlet Detour attack, identifying the root cause of this threat, how to verify whether your platform is exposed and how to mitigate it, effectively protecting your business-critical information against cyber attacks.

© 2011 Onapsis SRL. All Rights Reserved. No portion of this document may be reproduced in whole or in part without the prior written permission of Onapsis SRL. Onapsis offers no specific guarantee regarding the accuracy or completeness of the information presented, but the professional staff of Onapsis makes every reasonable effort to present the most reliable information available to it and to meet or exceed any applicable industry standards.

This publication contains references to the products of SAP AG. SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius and other Business Objects products and services mentioned herein are trademarks or registered trademarks of Business Objects in the United States and/or other countries. SAP AG is neither the author nor the publisher of this publication and is not responsible for its content. SAP Group shall not be liable for errors or omissions with respect to the materials.

What is the SAP Security In-Depth Publication?

Until these days, SAP security keeps being regarded as a synonym of Segregation of Duties (SoD) or security of roles and profiles by most of the professional community. While this kind of security is mandatory and of absolute importance, there are many threats that have so far been overlooked by the Auditing and Information Security industries and that entail much higher levels of business risk.

The technological components of these business-critical solutions introduce many specific security aspects that, if not implemented appropriately, can be subject to information security attacks against the confidentiality, integrity and/or availability of the critical business information processed by these systems. Translating this to business terms, the failure to protect these components can leave the business information at risk of espionage, fraud and sabotage attacks.

SAP Security In-Depth is a publication led by the Onapsis Research Labs with the purpose of providing specialized information about the current and future risks in this matter, allowing all the different actors (financial managers, SAP administrators, information security managers, auditors, consultants and the general professional community) to better understand the involved risks and the techniques and tools available to assess and mitigate them.

TABLE OF CONTENTS

What is the SAP Security In-Depth Publication? ........ 3
Executive Summary ........ 5
1. Introduction ........ 6
2. SAP Java Applications basics ........ 7
3. Introduction to the Invoker Servlet ........ 9
4. SAP Invoker Servlet Detour Attacks ........ 10
5. Which could be the real-world impact? ........ 12
6. Countermeasures ........ 13
7. Conclusions ........ 14

EXECUTIVE SUMMARY

While the SAP Security In-Depth publication delves into highly technical security aspects of these platforms, we consider it important to provide Management-level officers with an executive summary, in non-technical language, of the most outstanding concepts and risks presented in this volume.

Key concepts analyzed in this edition:

• Several critical standard SAP and custom applications are supported by Java Application Servers.
• In December 2010, SAP released a new white-paper [1] describing how to protect against attacks to these platforms.
• One of the presented security measures is related to a critical security vulnerability, whose exploitation (code-named Invoker Servlet Detour attack) can result in severe business attacks.
• This edition analyzes the root cause of this vulnerability and how to identify and mitigate it.

Key findings and risks:

• Customers have traditionally focused on securing ABAP-based SAP systems. The security of SAP Java platforms is equally important and must be tightly enforced.
• The white-paper released by SAP in December is a must-read for any SAP security professional.
• The root cause and impact of the Invoker Servlet vulnerability were not clear to many customers.
• Invoker Servlet Detour attacks may allow remote, malicious hackers to bypass authentication mechanisms and perform unauthorized business activities over the vulnerable SAP systems.

[1] http://service.sap.com/~form/sapnet?_SHORTKEY=01100035870000733716&_SCENARIO=01100035870000000202&

1. INTRODUCTION

In December 2010, SAP released a white-paper titled SAP Security Recommendations: Protecting Java- and ABAP-based SAP Applications against common attacks. This highly important document describes a set of “measures SAP strongly recommends that its customers apply to enhance the level of security with respect to certain common attack types”. Different from the previous issue released in September 2010 [2], which only outlines security recommendations for ABAP-based SAP systems [3], this last document also comprises the protection of one of the other fundamentals of SAP platforms: Java-based solutions.

Over the last decade, SAP has adopted and extended the J2EE standard for supporting its business applications, whose core engine is known as the SAP J2EE Engine. Nowadays, several widely-used SAP solutions require the deployment of SAP Application Servers Java. Some examples include SAP Enterprise Portal (EP), SAP Exchange Infrastructure (XI), SAP Process Integration (PI) and SAP Mobile Infrastructure (MI). These solutions serve different needs, such as working as front-ends to the back-end SAP ABAP systems and/or handling critical functionality such as interfaces with banking, tax, logistics, sales or payment-related external systems. Apart from the sensitive out-of-the-box functionality provided by these solutions, customers and third parties also develop and run their own J2EE applications on top of these platforms.

As a leading collaborator in discovering and solving vulnerabilities in SAP systems, Onapsis followed up on the release of this white-paper over the last months, helping several customers to comply with the required measures in order to keep their systems protected against the latest threats. Among these requirements, there was a particular one that many customers and security professionals were failing to properly understand: the vulnerability related to the Invoker Servlet, which was in need of a more in-depth analysis to better understand and manage existing risks.

The present publication has the goal of providing an in-depth analysis of this security threat, enabling the proper understanding of how to detect, assess and mitigate Invoker Servlet Detour attacks to better protect customers' SAP platforms against real-world threats.

[2] https://websmp203.sap-ag.de/~sapdownload/011000358700000968282010E/SAP-SecRec.pdf
[3] Onapsis X1 is the first solution to automatically check for compliance with these guidelines. For more information check http://www.onapsis.com/x1

2. SAP JAVA APPLICATIONS BASICS

In order to understand the vulnerability exploited by the Invoker Servlet Detour attack, it is first necessary to become familiar with certain aspects of the configuration of SAP Java applications.

Just as standard J2EE applications, SAP Java applications are configured through a web.xml file. This file declares, among other things, the servlets in use in the application, how they are mapped for user access and the security constraints around them. As an example, the following excerpt of a web.xml file specifies part of the configuration of an application which serves some public content freely, but wishes to restrict access to certain private functionality only to a group of Administrators:

    ...
    <servlet>
      <servlet-name>privateServlet1</servlet-name>
      <servlet-class>com.company.privateServlet1Interface</servlet-class>
    </servlet>
    <servlet>
      <servlet-name>publicServlet2</servlet-name>
      <servlet-class>com.company.publicServlet2Interface</servlet-class>
    </servlet>
    ...
    <servlet-mapping>
      <servlet-name>privateServlet1</servlet-name>
      <url-pattern>/private</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
      <servlet-name>publicServlet2</servlet-name>
      <url-pattern>/public</url-pattern>
    </servlet-mapping>
    ...
    <security-constraint>
      <display-name>rd</display-name>
      <web-resource-collection>
        <web-resource-name>rd</web-resource-name>
        <url-pattern>/private/*</url-pattern>
        <http-method>POST</http-method>
        <http-method>GET</http-method>
        <http-method>HEAD</http-method>
      </web-resource-collection>
      <auth-constraint>
        <description>Administrators</description>
        <role-name>administer</role-name>
      </auth-constraint>
    </security-constraint>
    ...

Table 1: Sample Java application

As shown in the file, there is one servlet called privateServlet1. This servlet has its own class (servlet-class attribute) and is mapped to a specific URL (url-pattern attribute). The security-constraint area defines on which specific URL (url-pattern attribute) the authorization check is to be performed. In this scenario, the SAP Application Server Java will demand that any client that tries to connect to the /private mapping has the administer role (mapped internally to a real SAP role). Therefore, if an anonymous attacker tries to access the application using the defined URL mapping (http://sap-server/appname/private), he will be required to enter authentication credentials; if he cannot present credentials for a user holding that role, access will be denied:

Picture 1: Security constraint working properly

3. INTRODUCTION TO THE INVOKER SERVLET

The SAP J2EE Engine has a wide set of built-in functionality, providing a comprehensive framework of libraries and services to support the development and deployment of Java applications. One of these functionalities is the Invoker Servlet, a convention inherited from Sun's (now Oracle's) J2EE reference implementation (Apache Tomcat shipped an equivalent InvokerServlet) rather than a mandatory part of the Servlet specification. In SAP systems this servlet is implemented in the InvokerServlet class, which is part of the SAP J2EE Engine's Web container.

It was conceived as a rapid development instrument, allowing developers to test their custom Java applications without the need to declare them in the web.xml file. Therefore, using the Invoker Servlet, it is possible to call a servlet by its name (which is declared in the web.xml) or by its fully qualified servlet class name (declaration not necessary in web.xml). The security implications of this functionality in SAP systems are explained in the following section.

4. SAP INVOKER SERVLET DETOUR ATTACKS

The Invoker Servlet functionality introduces several security threats to SAP Java applications, which are described below.

4.1. Execution of Arbitrary Servlets

It would be possible for an attacker to call arbitrary servlets, even though they have not been declared in the application's web.xml file. This includes any servlet class that is available to the application classloader, such as the classes located in the WEB-INF\classes, WEB-INF\lib and WEB-INF\additionallib application directories. Many of the servlets shipped in a Java application have not been designed for direct client access, but for internal interaction within the application. Therefore, the possibility of performing arbitrary calls to them can result in unforeseen actions on the SAP server.

4.2. Exploitation of Non-initialized Servlet Parameters

For each servlet, the web.xml can also define parameters that are initialized by the SAP J2EE Engine Web container when the servlet is loaded. The problem is that this automatic initialization takes place only if the servlet is called by its defined URL mapping or by its name (servlet-name attribute). If the servlet is called through its fully-qualified class name, it is instantiated without the parameters being initialized. This situation can lead to unforeseen security impacts.

In order to illustrate this point, consider the following sample servlet, which handles payments for an external banking interface. To speed up the project's testing, the servlet's developer included a special parameter to avoid validating the source account identity during internal QA. Of course, when the application is deployed to production, the parameter is initialized properly:

    <servlet>
      <servlet-name>DoPaymentServlet</servlet-name>
      <servlet-class>com.company.DoPaymentServlet</servlet-class>
      <init-param>
        <param-name>validate_source_account</param-name>
        <param-value>True</param-value>
      </init-param>
    </servlet>

Table 2: Servlet with initialization parameters

If an attacker performs an Invoker Servlet Detour attack against this application, accessing the /appname/servlet/com.company.DoPaymentServlet URL, the validate_source_account parameter will not be initialized to True as defined in the web.xml file. Depending on how the application's code handles the initial value of this parameter, it might be possible for the attacker to abuse this situation and perform fraudulent payments. Code that reads such a parameter should therefore treat a missing value as the secure default (validation enabled) rather than as permission to skip the check.

4.3. Authentication Bypass in SAP Java Applications

While the previously described security threats must not be underestimated, the Invoker Servlet vulnerability introduces an even greater security threat to SAP platforms: effectively bypassing the SAP Java authentication and authorization mechanism.

According to the security-constraint configured in the sample application presented in Table 1, an authentication and authorization check is performed if a client wants to access anything matching the /private/* virtual mapping. However, through an Invoker Servlet Detour attack, an attacker would access the servlet via its fully-qualified servlet class name, using the following URL:

http://sap-server/appname/servlet/com.company.privateServlet1Interface

The problem is that the security constraint only applies when the request URL matches /private/*. As no constraint matching /servlet/* is defined (and supposing that privateServlet1 does not perform a programmatic authorization check), the attacker would be able to execute the privateServlet1 servlet without authenticating, effectively bypassing the SAP Java authentication and authorization mechanism.

Picture 2: Authentication Bypass through an Invoker Servlet Detour attack
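The three threats above share one root cause: security constraints are matched against the request URL, while the Invoker Servlet reaches a servlet through URLs (/servlet/<servlet-name> and /servlet/<fully.qualified.Class>) that those constraints normally do not cover. The following script is an added example written for this edited page; it is not code from the Onapsis paper nor from SAP. It parses a web.xml, computes which roles the container would demand on each declared mapping and on both invoker paths, and flags servlets whose constraint the detour escapes, together with servlets carrying init-params (which, per 4.2, are not initialised on class-name invocation). The embedded web.xml is constructed from Table 1 and Table 2; the /payment mapping for DoPaymentServlet and the /servlet/* constraint mentioned in the usage note are assumptions of this example, not something the paper proposes.

```python
"""Static check for Invoker Servlet detours in a web.xml.

Added example for this page, not code from the Onapsis paper or from SAP.
It compares the roles a J2EE container enforces on each declared servlet
mapping with the roles enforced on the two Invoker Servlet paths.
"""
import xml.etree.ElementTree as ET

# Constructed from the paper's Table 1 and Table 2. The /payment mapping
# for DoPaymentServlet is an assumption added for this example.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <servlet>
    <servlet-name>privateServlet1</servlet-name>
    <servlet-class>com.company.privateServlet1Interface</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>publicServlet2</servlet-name>
    <servlet-class>com.company.publicServlet2Interface</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>DoPaymentServlet</servlet-name>
    <servlet-class>com.company.DoPaymentServlet</servlet-class>
    <init-param><param-name>validate_source_account</param-name><param-value>True</param-value></init-param>
  </servlet>
  <servlet-mapping><servlet-name>privateServlet1</servlet-name><url-pattern>/private</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>publicServlet2</servlet-name><url-pattern>/public</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>DoPaymentServlet</servlet-name><url-pattern>/payment</url-pattern></servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>rd</web-resource-name>
      <url-pattern>/private/*</url-pattern>
      <http-method>POST</http-method><http-method>GET</http-method><http-method>HEAD</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>administer</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""


def url_pattern_matches(pattern, path):
    """Servlet-spec url-pattern matching: the default pattern "/", path-prefix
    patterns "/foo/*" (which also cover "/foo" itself), extension patterns
    "*.ext", and otherwise an exact match."""
    if pattern in ("/", "/*"):
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def parse_web_xml(text):
    """Return ({servlet-name: {class, init_params, mappings}}, [constraints])."""
    root = ET.fromstring(text)
    for el in root.iter():  # drop the default namespace so tag names are plain
        if isinstance(el.tag, str) and "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    servlets = {}
    for s in root.findall("servlet"):
        servlets[s.findtext("servlet-name").strip()] = {
            "class": (s.findtext("servlet-class") or "").strip(),
            "init_params": {p.findtext("param-name").strip(): p.findtext("param-value").strip()
                            for p in s.findall("init-param")},
            "mappings": [],
        }
    for m in root.findall("servlet-mapping"):
        name = m.findtext("servlet-name").strip()
        if name in servlets:
            servlets[name]["mappings"].append(m.findtext("url-pattern").strip())
    constraints = [{"patterns": [u.text.strip() for u in c.iter("url-pattern")],
                    "roles": [r.text.strip() for r in c.iter("role-name")]}
                   for c in root.findall("security-constraint")]
    return servlets, constraints


def required_roles(path, constraints):
    """Roles the container demands for `path`: the union over every constraint
    whose url-pattern matches it. An empty list means anonymous access."""
    roles = set()
    for c in constraints:
        if any(url_pattern_matches(p, path) for p in c["patterns"]):
            roles.update(c["roles"])
    return sorted(roles)


def invoker_detours(servlets, constraints):
    """Per servlet: roles on its declared mapping(s), roles on both invoker
    paths, whether a detour escapes a constraint, and the init-params that
    the paper (section 4.2) says are skipped when invoked by class name."""
    findings = {}
    for name, s in servlets.items():
        declared = {p: required_roles(p, constraints) for p in s["mappings"]}
        detours = {f"/servlet/{name}": required_roles(f"/servlet/{name}", constraints),
                   f"/servlet/{s['class']}": required_roles(f"/servlet/{s['class']}", constraints)}
        findings[name] = {
            "declared": declared,
            "detours": detours,
            "auth_bypass": any(declared.values()) and any(not r for r in detours.values()),
            "init_params_at_risk": sorted(s["init_params"]),
        }
    return findings


if __name__ == "__main__":
    servlets, constraints = parse_web_xml(SAMPLE_WEB_XML)
    for name, f in invoker_detours(servlets, constraints).items():
        print(f"{name}: declared={f['declared']} detours={f['detours']}")
        if f["auth_bypass"]:
            print("  -> security-constraint bypassable through the Invoker Servlet")
        if f["init_params_at_risk"]:
            print(f"  -> init-params skipped on class-name invocation: {f['init_params_at_risk']}")
```

With the sample data the script reports privateServlet1 as bypassable, because /private demands the administer role while /servlet/com.company.privateServlet1Interface demands nothing, and reports DoPaymentServlet for its validate_source_account parameter. Appending a constraint on /servlet/* to the parsed list (a defence-in-depth measure assumed here, not the paper's recommendation) makes the bypass finding disappear, but only disabling the Invoker Servlet closes the arbitrary-servlet execution of 4.1, which a web.xml alone cannot reveal.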
5. WHICH COULD BE THE REAL-WORLD IMPACT?

In this document, fictitious Java applications have been used to provide an in-depth understanding of the Invoker Servlet Detour attacks. However, just as the security constraints in these applications could be bypassed by a malicious attacker, the same could happen to many of the standard SAP applications running in vulnerable SAP Application Servers Java, such as SAP Enterprise Portals, XI, PI, MI systems, etc. This means that, if the systems are not properly protected, it would be possible for malicious attackers to bypass authentication mechanisms in critical components, and possibly perform espionage, sabotage and fraud attacks over the business-critical information and processes managed by them.

6. COUNTERMEASURES

It is strongly recommended to disable the Invoker Servlet to protect your systems against these attacks. In order to do so, the following steps must be followed:

1. Update to the latest patch level according to your SAP platform.
2. Disable the Invoker Servlet functionality, by changing the value of the “EnableInvokerServletGlobally” property of the servlet_jsp service on the server nodes to False.
3. If any of your existing applications require the use of the Invoker Servlet feature, please check SAP Note 1445998.
4. If you are using SAP NetWeaver Portal, please check SAP Note 1467771.

The SAP Invoker Servlet has been disabled by default in SAP NetWeaver 7.20 (see the SP Patch level section in SAP Note 1445998 for more details) and in the initial shipment of SAP NetWeaver 7.30. For more information, please check the official SAP white-paper.

7. CONCLUSIONS

Protecting SAP Java Application Servers is critical for the overall security of the SAP platform. These systems have a completely different security architecture, and therefore it is necessary to understand them deeply in order to be protected against the real-world threats that could result in severe attacks to the business.

This document has focused only on one of the threats, the Invoker Servlet Detour attack, providing an in-depth analysis of the root cause of the vulnerability being exploited, the possible impacts for the business and how to mitigate it. A comprehensive assessment of all the security threats affecting these platforms was out of the scope of this document, and will be covered in a future publication.

It is highly critical to analyze whether your platform is affected by this vulnerability. In this sense, Onapsis X1 Enterprise 2 [4], the first-and-only SAP-certified Security Assessment solution for SAP NetWeaver, can be of great help to automatically evaluate your entire platform, detecting vulnerable systems and providing detailed mitigation activities.

By following the recommendations presented in this publication it is possible to decrease the probability of attacks in this aspect, raising the overall security level of the platforms and reducing business risks. For further information on this subject or to request specialized assistance, feel free to contact Onapsis at info@onapsis.com.

[4] http://www.onapsis.com/x1

About Onapsis X1

Onapsis X1™ is the industry's first comprehensive solution for the automated security assessment of ERP systems and business-critical infrastructure, currently supporting SAP® NetWeaver™ and R/3® business solutions.

Being the first and only SAP-certified Security Assessment solution, Onapsis X1 Enterprise automatically discovers and remotely connects to every SAP system in your organization and detects the growing number of security risks that can result in espionage, sabotage and fraud attacks to your critical business information. As a result, you are provided with a wide range of actionable reports that allow you to mitigate existing risks appropriately. Using Onapsis X1 you can decrease financial fraud risks, enforce compliance requirements and reduce audit costs drastically.

Furthermore, Onapsis X1 Consulting Pro enables you to safely and easily demonstrate the real business risks of the existing technical weaknesses, through our exclusive BizRisk Illustrator™ technology. Perform automated IT Security & Compliance Audits, Vulnerability Assessments and Penetration Tests over your SAP platform. Get more information at www.onapsis.com/x1

About ONAPSIS

Onapsis is the leading provider of solutions for the security of ERP systems and business-critical infrastructure. Through different innovative products and services, Onapsis helps its global customers to effectively increase the security level of their core business platforms, protecting their information and decreasing financial fraud risks.

Onapsis is built upon a team of world-renowned experts in the SAP security field, with several years of experience in the assessment and protection of critical platforms in world-wide customers, such as Fortune-100 companies and governmental entities.

Onapsis X1 is the industry's first comprehensive solution for continuous ERP security assessment, currently supporting SAP platforms. Through Onapsis X1 customers can decrease business fraud risks, enforce compliance requirements and reduce audit costs drastically.

For further information about our solutions, please contact us at info@onapsis.com.

www.onapsis.com

© 2011 Onapsis SRL. All Rights Reserved. Subject to Terms of Use available at http://www.onapsis.com/legal/terms-of-use.html. The Onapsis and Onapsis Securing Business Essentials names and logos and all other names, logos, and slogans identifying Onapsis's products and services are trademarks and service marks or registered trademarks and service marks of Onapsis SRL. All other trademarks and service marks are the property of their respective owners.